On 10/9/07, Michael Halcrow <[EMAIL PROTECTED]> wrote: > On Tue, Oct 09, 2007 at 03:39:03AM +0200, Alon Bar-Lev wrote: > > On Friday 05 October 2007, Alon Bar-Lev wrote: > > CONFIGURATION > > > > Configuration is stored at ~/.ecryptfsrc.pkcs11. > > > > Attributes: > > pkcs11-log-level (Integer, decimal) > > Log level of pkcs11-helper, can be from 0-5. > > > > pkcs11-pin-cache-timeout (Integer, decimal) > > Maximum PIN/session cache period in seconds. > > -1 is infinite, until provider invalidates > > session. > > Internally, eCryptfs will parse that into a simple list of name-value > pairs. So you might want: > > --- > pkcs11-pin-cache-timeout=3 > pkcs11-provider-name=bob > pkcs11-provider-allow-protected-auth=true > ---
Please note that I can load multiple providers (enterprises tends to have more than one vendor), so pkcs11-provider-allow-protected-auth should be specified once for each provider. Also if you load multiple keys of the same provider, you don't need to load the provider again. So basically we have module configuration, which is common to an instance, and we have key specific configuration. > In ~/.ecryptfsrc; then, the decision graph nodes with names > "pkcs11-pin-cache-timeout", "pkcs11-provider-name", and > "pkcs11-provider-allow-protected-auth" will automatically get the > corresponding values from the rc file. Or, if they are specified on > the command line, then the decision graph code will grab it from > there. If it is a required value and it is supplied by neither the rc > file or the command line, then the user should be prompted for the > value. > > That is the basic idea. Yes. But it is more complex than that, as I need to be able to load the providers once during the execution. And if I understand correctly the ecryptfs_pkcs11_get_param_subgraph_trans_node is called only for key related information. > If all you need is to get a simple set of values, and if you don't > really need any intelligence behind what happens as you read those > values, then you can avoid having to build your own decision graph > altogether and just generate a key_mod_param array instead, like what > the tspi key module does. I checked this out, but it seems that if get_param_subgraph_trans_node is defined the get_params is not used. Am I right? > All this is ultimately meant to make it possible for parameters to > come from anywhere (rc file, command line, gui, interactive prompt, > etc.) and have key modules be able to get and use them seamlessly. And > I don't claim that our current solution is necessarily the best > possible one. Yes. But I need to load the providers and global settings before the keys. What happens if the user puts the configuration lines in different order? I thought of something like: parameter=pkcs11-provider:name=p1,library=p1 The parameter= will be parsed at initialization and the key= will be parsed later. Best Regards, Alon Bar-Lev. ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ _______________________________________________ eCryptfs-devel mailing list eCryptfs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel
